Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 VPN client LAN access problem


I'm not expert in ASA and routing so I ask some support the following case.

There is a Cisco VPN client (running on Windows 7) and an ASA5505.

The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.

The Skype works well but I cannot access devices in the interface inside via VPN connection.

Can you please check my following config and give me advice to correct NAT or VPN settings?

ASA Version 7.2(4)


hostname ciscoasa

domain-name default.domain.invalid

enable password wDnglsHo3Tm87.tM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute


interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_access_in extended permit tcp any

access-list inside_access_in extended permit udp any

access-list outside_access_in extended permit ip any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool VPNPOOL mask

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400


global (outside) 1 interface

nat (inside) 1

nat (inside) 1

nat (outside) 1

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh inside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside


dhcpd address inside

dhcpd dns xx.xx.xx.xx interface inside

dhcpd enable inside


group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server value

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem enable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none


  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy XXXXXX internal

group-policy XXXXXX attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelall

split-tunnel-network-list none

username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15

username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0

username XXXXXX attributes

vpn-group-policy XXXXXX

username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15

tunnel-group XXXXXX type ipsec-ra

tunnel-group XXXXXX general-attributes

address-pool VPNPOOL

default-group-policy XXXXXX

tunnel-group XXXXXX ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp


service-policy global_policy global

prompt hostname context


: end


Thanks in advance!



Accepted Solutions

ASA 5505 VPN client LAN access problem

config#no nat (inside) 1 < This is not required.

Need to add - config#same-security-traffic permit intra-interface

                                 #access-list extended nonat permit ip

                                 #nat (inside) 0 access-list nonat

Please add and test it.




ASA 5505 VPN client LAN access problem

config#no nat (inside) 1 < This is not required.

Need to add - config#same-security-traffic permit intra-interface

                                 #access-list extended nonat permit ip

                                 #nat (inside) 0 access-list nonat

Please add and test it.



New Member

ASA 5505 VPN client LAN access problem

Hi Ajay!

Thank you for fast answer!!! It was very helpful!

The correct access list command #access-list nonat extended  permit ip

The new config works like a charm

Best regards,


ASA 5505 VPN client LAN access problem

Good to hear that

CreatePlease login to create content